Hey Metik,

Thank you so much for your assistance on this issue. I really appreciate it.

Yes, I agree with you on the mod_xml_curl solution. However, as I was starting to pursue that, I ran into another issue. It appears as though I don't have access to any variables in the xml_curl POST that contain the IP of the UA. The only two variables with IPs (other than the switch IP) are: sip_contact_host=192.168.0.100 and ip=64.135.119.105, where the .105 is my proxy. :(

Do you know of any way to get additional variables into the xml_curl POST?

As far as my current use case, yes, you understand my needs correctly, with one slight modification: I want to use the IP ACL + auth with both REGISTERs and INVITEs.

And yes, I agree with you that it is better to mitigate at the border, but I don't have that kind of infrastructure available yet.

So do you have any other suggestions on a workaround with the xml_curl issue? Or should I include that with my bounty?

Thanks,
Bill

Metik wrote:
> Then it would appear that my original suggestion to use mod_xml_curl
> would be best for now and you may need to offer a bounty for this
> feature as others have suggested. Based on the sofia-related snippets
> presented--I would assume it would be trivial to implement since most of
> the functionality is already there; it just needs to be enhanced for your
> purpose. It would also be extremely easy to do this in OpenSIPS as well
> (using blacklists or avpops).
>
> Just so that I understand your dilemma, you want to reject an incoming
> REGISTER associated with a specific user unless it comes from a fixed
> location and if it does, you want to simply challenge it as usual to
> prevent toll fraud?
>
> I have found that it's best to mitigate an attack at ingress before it
> even makes it to critical infrastructure (media gateways,
> application/media servers, etc.).
>
> -metik
>
> Bill W. wrote:
>> Hey Metik,
>>
>> Yes. Well, actually, I can have the cidr in two places in the directory.
>>
>> <user cidr="190.218.97.83/32" id="testphone01">
>> <params>
>> <param name="auth-acl" value="190.218.97.83/32"></param>
>>
>> From what I understand the cidr= parameter is used in conjunction with
>> the apply-inbound-acl parameter in the sofia profile to just allow
>> someone to make calls from a certain IP without authenticating.
>>
>> And from what I understand the auth-acl= parameter is used to restrict a
>> user to a particular cidr, but the user has to authenticate as well.
>>
>> *The second feature is the one I want to use.* I want to force users to
>> authenticate, but only allow that authentication from a particular cidr
>> as an added measure against toll fraud.
>>
>> And this appears to be causing the issue. Because once I specify the
>> auth-acl parameter in the directory, sofia-reg enforces that acl. And
>> unfortunately it's using the IP of the proxy, not of the user-agent.
>>
>> I looked in sofia.c and found this comment:
>> /*
>>  * if network_ip is a proxy allowed to send calls, check for auth
>>  * ip header and see if it matches against the inbound acl
>>  */
>>
>> And this coincides with my testing.
>> I have <param name="apply-proxy-acl" value="ip_of_proxy"/> in my
>> profile. I have my proxy sending the X-AUTH-IP header (verified with
>> tcpdump). And yet the REGISTER is still being denied.
>>
>> So it appears that the apply-proxy-acl is set up to work with the
>> apply-inbound-acl (to allow users from an IP without authenticating).
>>
>> But that hasn't been carried over to sofia_reg.c, which appears to
>> simply check the IP of who FreeSWITCH is talking to against the auth-acl
>> cidr specified in the directory. (Line 1926)
>>
>> So I guess the question is, is my analysis correct?
>>
>> Thoughts anyone?
>>
>> Thanks,
>> Bill
>>
>> Metik wrote:
>>> Bill,
>>>
>>> I think you would add this to the user profile in the directory. The
>>> "brian.xml" example (located in ${confdir}/directory/) provided with the
>>> default/sample configuration files demonstrates how to do this by
>>> introducing a "cidr" attribute to the "user" element.
>>>
>>> Example:
>>>
>>> <user id="7105551212" cidr="127.0.0.0/8//">
>>>   <params>
>>>     <param name="password" value="opensaysme"/>
>>>     <param name="vm-password" value="14916"/>
>>>   </params>
>>>   <variables>
>>>     <variable name="user_context" value="default"/>
>>>   </variables>
>>> </user>
>>>
>>> "http://wiki.freeswitch.org/wiki/Acl" contains some great info
>>> (including a relevant example).
>>>
>>> -metik
>>>
>> _______________________________________________
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users@lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
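The check Bill is describing (take the real client address from X-AUTH-IP only when the packet arrived from a proxy listed in apply-proxy-acl, then test that address against the user's auth-acl, and only then fall through to the normal digest challenge) can be written out as a small model. This is an added illustration of that logic, not FreeSWITCH's own sofia_reg.c code and not part of the thread; the directory entry, the proxy list and the helper names (`effective_client_ip`, `register_decision`) are constructed for the example, and the header name X-AUTH-IP is taken from Bill's description. The security point it shows is why the header must only be trusted from the proxy: a UA that reaches the switch directly could otherwise forge X-AUTH-IP and bypass the auth-acl.

```python
"""Proxy-aware auth-acl check for REGISTER/INVITE, modelled on the sofia.c
comment quoted in the thread.  Illustrative only; not FreeSWITCH code."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed directory entry, modelled on the snippet in the thread.
DIRECTORY_USER_XML = """
<user id="testphone01" cidr="190.218.97.83/32">
  <params>
    <param name="password" value="opensaysme"/>
    <param name="auth-acl" value="190.218.97.83/32"/>
  </params>
</user>
"""

# Constructed: what the sofia profile's apply-proxy-acl would contain
# (the proxy at .105 from Bill's xml_curl output).
PROXY_ACL = ["64.135.119.105/32"]


def load_user_acls(xml_text):
    """Return (cidr attribute, auth-acl param value) from a <user> entry.
    cidr= pairs with apply-inbound-acl (no auth); auth-acl restricts where
    an authenticated user may come from."""
    user = ET.fromstring(xml_text)
    auth_acl = None
    for p in user.iter("param"):
        if p.get("name") == "auth-acl":
            auth_acl = p.get("value")
    return user.get("cidr"), auth_acl


def in_acl(ip, acl):
    """True if ip falls inside any CIDR of acl (one string or a list)."""
    if acl is None:
        return False
    cidrs = [acl] if isinstance(acl, str) else acl
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def naive_source_check(network_ip, auth_acl):
    """What Bill reports sofia_reg.c doing: compare the peer IP FreeSWITCH
    is talking to (the proxy) directly against auth-acl."""
    return "reject" if auth_acl and not in_acl(network_ip, auth_acl) else "challenge"


def effective_client_ip(network_ip, headers, proxy_acl):
    """Believe X-AUTH-IP only when the packet really came from a trusted
    proxy; anyone else could have set the header themselves."""
    auth_ip = headers.get("X-AUTH-IP")
    if auth_ip and in_acl(network_ip, proxy_acl):
        return auth_ip
    return network_ip


def register_decision(network_ip, headers, user_xml, proxy_acl, creds_ok):
    """'reject' if the effective client IP is outside auth-acl; otherwise
    'challenge' (no/invalid digest credentials) or 'allow' (valid ones).
    The IP gate never replaces authentication, it is applied in addition."""
    _, auth_acl = load_user_acls(user_xml)
    ip = effective_client_ip(network_ip, headers, proxy_acl)
    if auth_acl and not in_acl(ip, auth_acl):
        return "reject"
    return "allow" if creds_ok else "challenge"


if __name__ == "__main__":
    hdrs = {"X-AUTH-IP": "190.218.97.83"}
    # Bill's observed behaviour: proxy IP checked directly -> reject
    print(naive_source_check("64.135.119.105", "190.218.97.83/32"))
    # Proxy-aware: real client is inside auth-acl -> normal challenge
    print(register_decision("64.135.119.105", hdrs, DIRECTORY_USER_XML, PROXY_ACL, False))
    # Same header sent by a non-proxy host -> header ignored -> reject
    print(register_decision("203.0.113.9", hdrs, DIRECTORY_USER_XML, PROXY_ACL, True))
```

Run against the constructed inputs, the naive check rejects the REGISTER because the proxy's address is not in the user's /32, while the proxy-aware check challenges it as usual; a host that is not in the proxy ACL gets no benefit from sending X-AUTH-IP.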